wireless-net/trunk/sbin/gen-wlan-files.py
arekm
cvs at pld-linux.org
Tue Mar 21 22:05:32 CET 2006
Author: arekm
Date: Tue Mar 21 22:05:29 2006
New Revision: 7260
Modified:
wireless-net/trunk/sbin/gen-wlan-files.py
Log:
Support for packets/s limit.
Modified: wireless-net/trunk/sbin/gen-wlan-files.py
==============================================================================
--- wireless-net/trunk/sbin/gen-wlan-files.py (original)
+++ wireless-net/trunk/sbin/gen-wlan-files.py Tue Mar 21 22:05:29 2006
@@ -1,8 +1,13 @@
#!/usr/bin/python
# Generate all required files (pap-secrets, ipac-ng.conf, oidentd_masq.conf etc)
-# (C) 2002, 2003, 2004, 2005 Arkadiusz Miskiewicz <arekm at pld-linux.org>
+# (C) 2002, 2003, 2004, 2005, 2006 Arkadiusz Miskiewicz <arekm at maven.pl>
-import string, os, re, ConfigParser, socket, fcntl;
+import string
+import os
+import re
+import ConfigParser
+import socket
+import fcntl
SIOCGIWNAME = 0x8B01
@@ -16,13 +21,18 @@
s.close()
return True
-is_p2p = os.system("iptables -m p2p --help > /dev/null 2>&1")
+def run(cmd, failcheck=True):
+ ret = os.system(cmd)
+ if failcheck and ret != 0:
+ print "WARNING: Command [%s] failed!" % (cmd)
+
+is_p2p = run("iptables -m p2p --help > /dev/null 2>&1", False)
if is_p2p == 0:
is_p2p = True
else:
is_p2p = False
-is_ipp2p = os.system("iptables -m ipp2p --help > /dev/null 2>&1")
+is_ipp2p = run("iptables -m ipp2p --help > /dev/null 2>&1", False)
if is_ipp2p == 0:
is_ipp2p = True
else:
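Review bot: `run()` never returns the exit status, so `is_p2p = run(..., False)` binds None and the `if is_p2p == 0:` test below it (and the `is_ipp2p` one) can never be true; both flags end up False and the peer2peer rules added in the later hunk are silently never installed. Add `return ret` as the last line of `run()` so the probe calls keep the value `os.system` produced. It would also help to state the contract in a docstring, e.g. `"""Run cmd through os.system; print a warning on non-zero exit when failcheck is set, and return the raw os.system status."""`, since every later hunk relies on this helper. Note that `run()` still hands an interpolated string to a shell, so its safety depends on every value substituted into it being constrained by the record regex compiled later in the file.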
@@ -45,40 +55,50 @@
ap_iface = string.split(config.get('base', 'ap_iface'), ',')
r_cfg = config.get('base', 'r_cfg')
-ipac = config.get('base', 'ipac')
chap_sec = config.get('base', 'chap_sec')
oid_cfg = config.get('base', 'oid_cfg')
mrtg_cfg = config.get('base', 'mrtg_cfg')
hostname = config.get('base', 'hostname')
use_htb = config.getboolean('base', 'use_htb')
-old_ipac = config.getboolean('base', 'use_old_ipac')
+
+ipac = False
+use_ipac = False
+old_ipac = False
+try:
+ ipac = config.get('base', 'ipac')
+ use_ipac = config.getboolean('base', 'use_ipac')
+ old_ipac = config.getboolean('base', 'use_old_ipac')
+except ConfigParser.NoOptionError:
+ pass
fp = open(r_cfg, "r")
fppap = open(chap_sec, "w")
fppap.write("# login host pass ip\n")
-fpipac = open(ipac, "w")
+if use_ipac:
+ fpipac = open(ipac, "w")
fpoid = open(oid_cfg, "w")
fpoid.write("# IP-ADDRESS[/<mask>] USER-NAME SYSTEM-TYPE\n")
fpmrtg = open(mrtg_cfg, "w")
fpmrtg.write("WorkDir: /etc/mrtg/logs\nLanguage: Polish\nImageDir: /etc/mrtg/images\n")
fpmrtg.write("LogFormat: rrdtool\n")
-for elem in ifaces:
- print "Writting fetchipac config for %s interface." % elem
- if old_ipac:
- fpipac.write("%s_in_all|in|%s|all||\n" % (elem, elem))
- fpipac.write("%s_out_all|out|%s|all||\n" % (elem, elem))
- else:
- fpipac.write("%s_in_all|ipac~o|%s|all|||\n" % (elem, elem))
- fpipac.write("%s_out_all|ipac~i|%s|all|||\n" % (elem, elem))
+if use_ipac:
+ for elem in ifaces:
+ print "Writting fetchipac config for %s interface." % elem
+ if old_ipac:
+ fpipac.write("%s_in_all|in|%s|all||\n" % (elem, elem))
+ fpipac.write("%s_out_all|out|%s|all||\n" % (elem, elem))
+ else:
+ fpipac.write("%s_in_all|ipac~o|%s|all|||\n" % (elem, elem))
+ fpipac.write("%s_out_all|ipac~i|%s|all|||\n" % (elem, elem))
- if is_wireless(elem):
- os.system("/sbin/iwspy %s off 2> /dev/null" % elem)
+ if is_wireless(elem):
+ run("/sbin/iwspy %s off 2> /dev/null" % elem, False)
for elem in mrtg_links:
iface = elem[2]
if is_wireless(iface):
- os.system("/sbin/iwspy %s off 2> /dev/null" % iface)
+ run("/sbin/iwspy %s off 2> /dev/null" % iface, False)
for elem in mrtg_links:
host = string.strip(elem[0])
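Review bot: The `except ConfigParser.NoOptionError: pass` block hides a misconfiguration: `ipac` is read first, so a config that sets `use_ipac = true` but lacks the `ipac` path (or misspells it) leaves `use_ipac` False and the fetchipac output is skipped without any message. Read the boolean first and only then require the path, for example `use_ipac = config.has_option('base', 'use_ipac') and config.getboolean('base', 'use_ipac')` followed by `if use_ipac: ipac = config.get('base', 'ipac')`, so a missing `ipac` under `use_ipac` raises instead of being swallowed; `old_ipac` can keep its own guarded read. The `for elem in mrtg_links:` loop at the end of the hunk continues outside it.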
@@ -102,26 +122,29 @@
fpmrtg.write("\n")
if is_wireless(iface):
- os.system("/sbin/iwspy %s + %s" % (iface, mac))
+ run("/sbin/iwspy %s + %s" % (iface, mac))
for iface in ap_iface:
print "Preparing root tc queue for %s interface." % iface
- os.system("tc qdisc del root dev %s 2> /dev/null" % iface)
+ run("tc qdisc del root dev %s 2> /dev/null" % iface, False)
if use_htb:
- os.system("tc qdisc add dev %s root handle 1:0 htb r2q 1" % iface)
- os.system("tc class add dev %s parent 1:0 classid 1:1 htb rate 10mbit ceil 10mbit" % iface)
+ run("tc qdisc add dev %s root handle 1:0 htb r2q 1" % iface)
+ run("tc class add dev %s parent 1:0 classid 1:1 htb rate 10mbit ceil 10mbit" % iface)
else:
- os.system("tc qdisc add dev %s root handle 1:0 cbq bandwidth 10mbit avpkt 1000 mpu 64" % iface)
+ run("tc qdisc add dev %s root handle 1:0 cbq bandwidth 10mbit avpkt 1000 mpu 64" % iface)
+
+run("iptables -N peer2peer 2> /dev/null", False)
+run("iptables --flush peer2peer")
-os.system("iptables -N peer2peer 2> /dev/null")
-os.system("iptables --flush peer2peer")
+run("iptables -N packets 2> /dev/null", False)
+run("iptables --flush packets")
-os.system("iptables -N apchain 2> /dev/null")
-os.system("iptables --flush apchain")
+run("iptables -N apchain 2> /dev/null", False)
+run("iptables --flush apchain")
-os.system("iptables -t mangle -N apchain 2> /dev/null")
-os.system("iptables -t mangle --flush apchain")
+run("iptables -t mangle -N apchain 2> /dev/null", False)
+run("iptables -t mangle --flush apchain")
for line in fp:
c = re.compile("^\d+\s+\w+\s+\w+\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+\d{1,6}\s+\d{1,6}\s+[\w-]+\s+[\w:]+")
@@ -142,46 +165,56 @@
if passwd != "apuser":
fppap.write("%s\t%s\t%s\t%s\n" % (login, "\"*\"", passwd, ip))
-
- if old_ipac:
- fpipac.write("%s_%s_in|in||all|%s|\n" % (host, ip, ip))
- fpipac.write("%s_%s_out|out||all||%s\n" % (host, ip, ip))
- else:
- fpipac.write("%s_%s_in|ipac~o||all|%s||\n" % (host, ip, ip))
- fpipac.write("%s_%s_out|ipac~i||all||%s|\n" % (host, ip, ip))
+
+ if use_ipac:
+ if old_ipac:
+ fpipac.write("%s_%s_in|in||all|%s|\n" % (host, ip, ip))
+ fpipac.write("%s_%s_out|out||all||%s\n" % (host, ip, ip))
+ else:
+ fpipac.write("%s_%s_in|ipac~o||all|%s||\n" % (host, ip, ip))
+ fpipac.write("%s_%s_out|ipac~i||all||%s|\n" % (host, ip, ip))
fpoid.write("%s\t\t%s%s-%s\t%s\n" % (ip, hostname[0], nr, login, "UNIX"))
+ run("iptables --flush packets_%s 2> /dev/null" % (nr), False)
+ run("iptables -N packets_%s 2> /dev/null" % (nr), False)
+ run("iptables -A packets_%s -m limit --limit 100/s -j RETURN" % (nr))
+ run("iptables -A packets_%s -p tcp -j REJECT --reject-with tcp-reset" % (nr))
+ run("iptables -A packets_%s -p udp -j REJECT --reject-with icmp-port-unreachable" % (nr))
+ run("iptables -A packets_%s -j DROP" % (nr))
+ run("iptables -A packets -s %s -j packets_%s" % (ip, nr))
+ run("iptables -A packets -d %s -j packets_%s" % (ip, nr))
+
if is_p2p:
- os.system("iptables -A peer2peer -p tcp -s %s -m connlimit --connlimit-above 10 -m p2p --p2p all -j REJECT" % (ip))
+ run("iptables -A peer2peer -p tcp -s %s -m connlimit --connlimit-above 10 -m p2p --p2p all -j REJECT" % (ip))
if is_ipp2p:
- os.system("iptables -A peer2peer -p tcp -s %s -m connlimit --connlimit-above 10 -m ipp2p --ipp2p -j REJECT" % (ip))
+ run("iptables -A peer2peer -p tcp -s %s -m connlimit --connlimit-above 10 -m ipp2p --ipp2p -j REJECT" % (ip))
if passwd == "apuser":
for iface in ap_iface:
- os.system("ip neigh del %s dev %s" % (ip, iface))
+ run("ip neigh del %s dev %s" % (ip, iface))
if mac != "any":
- os.system("iptables -A apchain -i %s -s %s -m mac --mac-source %s -j ACCEPT" % (iface, ip, mac))
- os.system("ip neigh replace %s lladdr %s dev %s" % (ip, mac, iface))
+ run("iptables -A apchain -i %s -s %s -m mac --mac-source %s -j ACCEPT" % (iface, ip, mac))
+ run("ip neigh replace %s lladdr %s dev %s" % (ip, mac, iface))
else:
- os.system("iptables -A apchain -i %s -s %s -j ACCEPT" % (iface, ip))
- os.system("iptables -A apchain -o %s -d %s -j ACCEPT" % (iface, ip))
+ run("iptables -A apchain -i %s -s %s -j ACCEPT" % (iface, ip))
+ run("iptables -A apchain -o %s -d %s -j ACCEPT" % (iface, ip))
if speed_down != "0":
if use_htb:
- os.system("tc class add dev %s parent 1:1 classid 1:1%s htb rate %skbit ceil %skbit prio 1" % (iface, nr, speed_down, speed_down))
- os.system("tc qdisc add dev %s parent 1:1%s sfq perturb 10" % (iface, nr))
+ run("tc class add dev %s parent 1:1 classid 1:1%s htb rate %skbit ceil %skbit prio 1" % (iface, nr, speed_down, speed_down))
+ run("tc qdisc add dev %s parent 1:1%s sfq perturb 10" % (iface, nr))
else:
- os.system("tc class add dev %s parent 1:0 classid 1:1%s est 2sec 16sec cbq bandwidth 10mbit rate %skbit allot 1504b weight 1 prio 1 maxburst 10 avpkt 512 bounded" % (iface, nr, speed_down))
- os.system("tc qdisc add dev %s parent 1:1%s sfq perturb 10" % (iface, nr))
- os.system("tc filter add dev %s parent 1:0 protocol ip u32 match ip dst %s flowid 1:1%s" % (iface, ip, nr))
+ run("tc class add dev %s parent 1:0 classid 1:1%s est 2sec 16sec cbq bandwidth 10mbit rate %skbit allot 1504b weight 1 prio 1 maxburst 10 avpkt 512 bounded" % (iface, nr, speed_down))
+ run("tc qdisc add dev %s parent 1:1%s sfq perturb 10" % (iface, nr))
+ run("tc filter add dev %s parent 1:0 protocol ip u32 match ip dst %s flowid 1:1%s" % (iface, ip, nr))
if speed_up != "0":
# 8 bits, 1500 bytes (average packet size)
speed_up_sec = int(round(int(speed_up)/(8*1.5)))
if speed_up_sec < 1:
speed_up_sec = 1
- os.system("iptables -t mangle -A apchain -i %s -s %s -m limit --limit %s/s -m length --length 151:1500 -j RETURN" % (iface, ip, speed_up_sec))
- os.system("iptables -t mangle -A apchain -i %s -s %s -m length --length 151: -j DROP" % (iface, ip))
+ run("iptables -t mangle -A apchain -i %s -s %s -m limit --limit %s/s -m length --length 151:1500 -j RETURN" % (iface, ip, speed_up_sec))
+ run("iptables -t mangle -A apchain -i %s -s %s -m length --length 151: -j DROP" % (iface, ip))
if mac == "any":
continue
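Review bot: The new per-user `packets_%s` chain is entered for both `-s ip` and `-d ip`, so the hard-coded `--limit 100/s` is one shared counter for inbound and outbound traffic and is the same for every record; the commit log describes a packets/s limit feature, but nothing in the visible hunks lets the limit be set per user or in the config, so consider reading it from `config` next to `use_htb` rather than fixing it in the rule string. The rule also leaves `--limit-burst` at the iptables default, which is worth stating explicitly so the behaviour is documented in the script. Excess packets that match the `-d ip` rule are answered with a TCP reset or ICMP port-unreachable to the remote sender; for traffic coming from outside, a plain DROP avoids generating replies toward hosts the script does not control. The enclosing `for line in fp:` loop body starts outside this hunk.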
@@ -202,14 +235,17 @@
fpmrtg.write("\n")
if passwd != "apuser" and is_wireless(pppoe_iface):
- os.system("/sbin/iwspy %s + %s" % (pppoe_iface, mac))
+ run("/sbin/iwspy %s + %s" % (pppoe_iface, mac))
fpmrtg.close()
fpoid.close()
-fpipac.close()
+if use_ipac:
+ fpipac.close()
fppap.close()
fp.close()
-os.system("iptables -A peer2peer -j RETURN")
-os.system("iptables -A apchain -j RETURN")
-os.system("iptables -t mangle -A apchain -j RETURN")
-os.system("/usr/sbin/fetchipac -S")
+run("iptables -A packets -j REJECT")
+run("iptables -A peer2peer -j RETURN")
+run("iptables -A apchain -j RETURN")
+run("iptables -t mangle -A apchain -j RETURN")
+if use_ipac:
+ run("/usr/sbin/fetchipac -S")
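Review bot: `run("iptables -A packets -j REJECT")` appears to reject under-limit traffic as well: a packet that stays below the limit hits `-m limit ... -j RETURN` in `packets_N`, which returns into the `packets` chain and continues with the following rules until it reaches this final REJECT, so as far as the visible hunks show every packet traversing `packets` is ultimately rejected. The other custom chains end with `-j RETURN`; the same here, `run("iptables -A packets -j RETURN")`, lets permitted traffic fall through to whatever rules follow the jump, and an explicit reject for unknown addresses, if intended, belongs in the calling chain. None of the hunks on this page add a jump from INPUT or FORWARD into `packets`, so either that hook lives elsewhere or the new chain is currently not evaluated; a short comment above these lines stating where `packets` is attached would settle it.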